Sponsoring a canon_user plugin for LDAP lookup

Torsten Schlabach tschlabach at gmx.net
Fri Jan 12 18:49:53 EST 2007


 > And now just to doublecheck - you actually want just the simple name
 > returned, not the full DN. Correct?

Sure. As this is what Cyrus IMAPd expects.

Without the canon_user, you'd type

AUTH id000012

You wouldn't type

AUTH uid=id000012,ou=user,ou=...

It's getting 1:00 a.m. now where I am. So I hope you got all the info 
and I can go to bed now. I'd really be thankful for your help with that. 
And probably many others as well.

Regards,
Torsten


Howard Chu schrieb:
> Torsten Schlabach wrote:
> 
>> As long as it serves the purpose. Just recall, please ...
>>
>> If you rewrite some at else.com to id000012 then you need to make sure 
>> that Cyrus IMAPd sees id000012 as it is going to use that as the name 
>> for the mailbox.
>>
>> I need to say ... I am *not* sure about the sequence in which auxprop 
>> and canon_user are called. But isn't it that Cyrus IMAPd will take in 
>> a username, run it through canon_user (in case there is any), then run 
>> the rewritten username through auxprop to retrieve a password and 
>> compare the one that the user inputted to that.
>>
>> So in pseudo-code this would be:
>>
>> username = what the user entered as username
>> password = what the user entered as password
>>
>> username = canon_user(username)
>>
>> correct_password = auxprop(username)
>>
>> if correct_password == password
>>
>>   look for mailbox username
>>
>> endif
>>
>> If I was right with that assumption, then you could do anything in an 
>> auxprop plugin to find the proper password (what you can indeed do 
>> today already using those authz rewrite rules) but you cannot change 
>> the value of username in the auxprop plugin. Isn't this why there are 
>> two different hooks, i.e. canon_user and auxprop?
> 
> 
> Correct. (Yes, our emails crossed.)
> 
> The ldapdb_connect() function currently in ldapdb.c can serve both 
> purposes, I just need to write a canon_user_server wrapper around it to 
> do the right thing. The other refinement would be to save the LDAP 
> connection handle that canon_user uses, so that auxprop doesn't need to 
> open a new one.
> 
> And now just to doublecheck - you actually want just the simple name 
> returned, not the full DN. Correct?
> 
>>
>> On the other hand, as I said in my initial posting, I think the actual 
>> canon_user plugin would be not too complicated as it would just have 
>> to do a single lookup, i.e. use the given username in an LDAP url to 
>> find an object and return another attribute of that object as the 
>> canonicalized username. E.g. search for mailAlias=someone at else.com and 
>> return the uid attribute of the matched object.
>>
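
Added example, not code from this thread or from ldapdb.c: a Python model of the canon_user -> auxprop sequence sketched in the pseudo-code above, run against a constructed in-memory directory in place of a live LDAP server. The attribute names mailAlias, uid and userPassword and the ou=user base are assumptions; the example also covers the case the pseudo-code leaves out, an alias that matches more than one entry.

```python
import hmac

# Constructed sample directory standing in for the LDAP server: DN -> attributes.
DIRECTORY = {
    "uid=id000012,ou=user,dc=example,dc=com": {
        "uid": "id000012", "mailAlias": ["someone@else.com"], "userPassword": "s3cret"},
    "uid=id000013,ou=user,dc=example,dc=com": {
        "uid": "id000013", "mailAlias": ["shared@else.com"], "userPassword": "other"},
    "uid=id000014,ou=user,dc=example,dc=com": {  # deliberately shares an alias
        "uid": "id000014", "mailAlias": ["shared@else.com"], "userPassword": "third"},
}

def ldap_search(attr, value):
    """Stand-in for an LDAP equality search (attr=value); compared case-insensitively."""
    hits = []
    for entry in DIRECTORY.values():
        stored = entry.get(attr, [])
        values = stored if isinstance(stored, list) else [stored]
        if any(v.lower() == value.lower() for v in values):
            hits.append(entry)
    return hits

def canon_user(username):
    """canon_user stage: map the login name to the simple uid Cyrus IMAPd expects.
    Looks up mailAlias first, then a plain uid; unknown or ambiguous names yield None."""
    hits = ldap_search("mailAlias", username) or ldap_search("uid", username)
    return hits[0]["uid"] if len(hits) == 1 else None

def auxprop(uid):
    """auxprop stage: fetch the stored password for the already-canonical uid."""
    hits = ldap_search("uid", uid)
    return hits[0]["userPassword"] if len(hits) == 1 else None

def authenticate(username, password):
    """canon_user, then auxprop, then compare. Returns the mailbox name or None."""
    uid = canon_user(username)
    expected = auxprop(uid) if uid is not None else None
    if expected is None:
        return None
    # constant-time comparison so a wrong guess cannot be told apart by timing
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return uid  # the simple name, never the DN, since Cyrus IMAPd names the mailbox by it
```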


More information about the Cyrus-sasl mailing list